JP2020027508A - Confidential document monitoring device, confidential document monitoring program, and confidential document monitoring system - Google Patents

Abstract

To provide a confidential document monitoring device, a confidential document monitoring program, and a confidential document monitoring system with which, when monitoring a confidential document output process, it is possible to shorten the average processing time needed for monitoring a plurality of output processes, as compared with the case where a determination process for doing monitoring is carried out indiscriminately for a plurality of output processes.SOLUTION: The confidential document monitoring device comprises: a determination unit 34 for determining whether or not an output process corresponds to the process of a previously set content for a monitoring object, the determination unit 34 executing a first determination process and a second determination process that is executed when a determination result that the output process does not correspond to the process for the monitoring object is not obtained, the processing time of the second determination process being longer than for the first determination process; and an action execution unit 36 for executing a previously set action when it is determined in the second determination process that the output process corresponds to the process for the monitoring object.SELECTED DRAWING: Figure 4

Description

  The present invention relates to a confidential document monitoring device, a confidential document monitoring program, and a confidential document monitoring system.

  Patent Document 1 discloses a document registration unit for registering at least one first document, a document input unit for inputting a second document, and a second document input by the document input unit registered in the document registration unit. Determining means for checking whether or not there is a first document registered in the document registration means which matches or is similar to the second document input by the document input means by comparing the first document with the first document registered There is disclosed a document processing apparatus comprising: a document processing unit that performs predetermined processing set in advance based on a determination result by a determination unit on a second document.

 Patent Document 2 includes a document processing device, a document storage server, and a document search server each connected to a network. The document storage server obtains document data of a document processed by the document processing device, stores and stores the document data, A document information monitoring system is disclosed in which a document search server obtains document data and searches whether or not a predetermined keyword is included in the document data.

  Patent Literature 3 discloses a job history management system that suppresses information leakage by accumulating and printing traceable contents of a print job and output contents of an output job from an MFP as job log information. Means for extracting and generating tracking target information from the content printed on the printer, means for extracting and generating tracking target information of an output job in the designated MFP, and storage for storing and managing the information extracted by the extracting means Means, means for transmitting the tracking information extracted by the extracting means to the storing means, means for searching and browsing the extracted information stored in the storing means, and means for storing the tracking target information in the first information device for instructing printing. A job history management system having an extraction unit is disclosed.

JP 2008-042636 A JP 2007-110462 A JP 2008-134822 A

  As a method for monitoring the leakage of a confidential document, for example, image-format data generated when an output process such as a printing process is performed by a printer is recorded as an image-format history, and this is recorded as an image of the confidential document. There is a method of comparing images with format data. If the document printed by such image collation is a confidential document, a measure such as a warning is executed.

  However, although the method of determining a confidential document by image collation has high monitoring effectiveness, it takes time to perform such image collation uniformly for all documents.

  The present disclosure relates to an average process required for monitoring a plurality of output processes when monitoring the output process of a confidential document, as compared with a case where a determination process for monitoring is performed uniformly for a plurality of output processes. An object of the present invention is to provide a confidential document monitoring device, a confidential document monitoring program, and a confidential document monitoring system that can reduce the time.

  In order to achieve the above object, a confidential document monitoring device according to claim 1, wherein a registration unit for registering the document as a confidential document in a storage unit and an output for outputting the document in order to monitor the document for security management. An acquisition unit that acquires a history of an output process indicating that the device has executed an output process, and whether the output process is a process related to a confidential document and corresponds to a process to be monitored with preset contents A first determination process, and a second determination process executed when a determination result that the output process does not correspond to the process to be monitored is not obtained in the first determination process. A determination unit that executes a second determination process that is longer in processing time than the first determination process; and a second determination process that is performed when the output process is determined to correspond to the process to be monitored in the second determination process. The actual action to take And it includes a part, a.

  Further, in the confidential document monitoring device according to the second aspect, in the invention according to the first aspect, the output processing generates the document in image format in which the display content of the document is expressed as an array of a plurality of pixels. The output processing history includes an image format history composed of image format data and a character format history composed of character information, and the first determination process includes the output process history. The second determination process is a process of determining whether or not the output process corresponds to the process to be monitored based on the history of the character format included in the output process. It includes a process of determining whether or not the output process corresponds to the process to be monitored based on the image data of the document.

  Further, in the confidential document monitoring device according to the third aspect, in the invention according to the second aspect, the character-format history includes an operator ID instructed to execute the output process. In the first determination processing, it is determined whether or not the output processing corresponds to the processing to be monitored based on the operator ID.

  A confidential document monitoring device according to a fourth aspect is the invention according to the second or third aspect, further comprising an image conversion unit that converts the confidential document into image format data.

  In a confidential document monitoring device according to a fifth aspect, in the invention according to any one of the first to fourth aspects, the determining unit preliminarily classifies the processes to be monitored into a plurality of types in the second determination process. Based on the classification information, it is determined which of the plurality of types the output process corresponds to, and the execution unit changes the content of the action according to the type to which the output process corresponds.

  In the confidential document monitoring device according to a sixth aspect, in the invention according to the fifth aspect, the countermeasure includes a process of notifying a preset notification destination that the process to be monitored has been executed.

  Further, in order to achieve the above object, a confidential document monitoring program according to claim 7, further comprising: a registration unit for registering the document as a confidential document in a storage unit so as to monitor the document in confidential management; An acquisition unit for acquiring a history of an output process indicating that the output device has performed the output process, and the output process is a process related to a confidential document, and corresponds to a process to be monitored with preset contents. A first determination process, and a second determination process performed when a determination result that the output process does not correspond to the process to be monitored is not obtained in the first determination process. A determination unit that executes a second determination process that is longer in processing time than the first determination process; and a second determination process that determines in advance that the output process corresponds to the process to be monitored in the second determination process. Action taken An execution unit for executing, as a confidential document monitoring device equipped with the computer to function.

  Furthermore, in order to achieve the above object, a confidential document monitoring system according to claim 7, wherein at least one output device including an output unit that executes an output process for outputting a document, and any one of claims 1 to 6. Or the confidential document monitoring device according to claim 1.

  According to the first, seventh, and eighth aspects of the present invention, when monitoring the output processing of a confidential document, the monitoring processing is performed uniformly for a plurality of output processing. In comparison, the average processing time required to monitor a plurality of output processes can be reduced.

  According to the second aspect of the present invention, when monitoring an output process of outputting a confidential document in an image format, the average processing time required for monitoring a plurality of output processes is reduced while suppressing omission of monitoring. Can be.

  According to the third aspect of the present invention, in the first determination processing, the purpose of the first determination processing of narrowing down the targets of the second determination processing can be achieved by a simple and effective method.

  According to the fourth aspect, an external image conversion device is not required.

  According to the fifth aspect, appropriate measures can be taken according to the type of output processing.

  According to the invention of claim 6, appropriate measures can be taken based on the judgment of the monitor.

FIG. 1 is a diagram illustrating an example of a configuration of a confidential document monitoring device and a confidential document monitoring system according to an embodiment. FIG. 2 is a block diagram illustrating an example of an electrical configuration of the confidential document monitoring device according to the embodiment. FIG. 2 is a block diagram illustrating an example of a functional configuration of the confidential document monitoring device according to the embodiment. FIG. 6 is a diagram illustrating the contents of a first determination process and a second determination process of the confidential document monitoring device according to the embodiment. FIG. 5 is a diagram illustrating an example of a monitoring target determination table according to the embodiment. FIG. 4 is a diagram illustrating an example of a text log according to the embodiment. FIG. 5 is a diagram illustrating an example of registered character information of a confidential document according to the embodiment. It is a figure showing an example of the employee information table concerning an embodiment. It is a figure showing an example of the action judgment table concerning an embodiment. 6 is a flowchart illustrating an example of a flow of a monitoring process according to the embodiment. FIG. 9 is a diagram illustrating a first determination example in which only a first determination process is performed and a second determination process is not performed. FIG. 11 is a diagram illustrating a second determination example in which only the first determination process is performed and the second determination process is not performed. FIG. 13 is a diagram illustrating a third determination example in which only the first determination process is performed and the second determination process is not performed.

  Hereinafter, an embodiment of a confidential document monitoring device and a confidential document monitoring system according to the present invention will be described in detail with reference to the drawings.

  FIG. 1 shows a confidential document monitoring system (hereinafter, simply referred to as a monitoring system) 10 which is an example of the embodiment. As shown in FIG. 1, the monitoring system 10 includes a confidential document monitoring server (hereinafter, simply referred to as a monitoring server) 11 and at least one output device 12. In this example, the monitoring system 10 includes a plurality of output devices 12. The monitoring system 10 is installed in a company, for example.

  The output device 12 is an example of an output device that executes an output process of outputting the document 17. The output device 12 has, for example, at least three functions of copy, print, and facsimile (facsimile), and executes three output processes of a copy process, a print process, and a facsimile process.

  The document 17 is created, for example, by the terminal device 19 used by employees in the company. The document 17 includes, for example, at least one of characters (including symbols and numbers), graphics, drawings, and tables. Classification by type, which is a type corresponding to the content of the document 17, includes, for example, a management document in which the content (including financial content) related to management in the company is recorded, and technical content of a product or service developed by the company. There are types such as related technical documents and other general documents. The document 17 created in the company is managed by the document management server 21, for example.

  The document 17 includes document data 17A, which is data relating to the content of the document 17, and additional information 17B attached to the document data 17A. The document data 17A includes data representing text, graphics, drawings, tables, and the like. On the other hand, the supplementary information 17B includes, for example, information on attributes of the document 17, such as the creator of the document 17, the department to which the creator belongs, the date and time of creation, and the type of the document 17. Further, the supplementary information 17B includes, for example, information indicating the disclosure range of the document 17, such as confidential and confidential.

  The document management server 21 has a document DB (database) 22 that stores the documents 17. The document management server 21 is communicably connected to the terminal device 19, and stores the document 17 received from the terminal device 19 in the document DB 22 in response to a storage request from the terminal device 19. Further, the document management server 21 distributes the document 17 in the document DB 22 to the terminal device 19 based on a distribution request from the terminal device 19.

  Further, the document management server 21 has a function of transmitting a registration request to the monitoring server 11 to register the designated document 17 as the confidential document 18 based on an instruction from the terminal device 19. ing. By using such a function, for example, a document 17 to be monitored for security management in a company is registered as a security document 18 in the monitoring server 11. Note that the registration request for the confidential document 18 may be directly transmitted from the terminal device 19 without passing through the monitoring server 11.

  The output device 12 receives an execution instruction of the output process, and executes the output process based on the content of the received execution instruction. For example, the output device 12 executes copy processing as output processing when the content of the execution instruction is copy, and executes FAX processing as output processing when the content of the execution instruction is FAX. The instruction to execute the output processing may be input to the output device 12 through the operation of the terminal device 19 in addition to the case where the operator directly operates the output device 12 to input. When operating the output device 12, an operator ID (Identification Data), which is identification information of the operator, is input to the output device 12. The output device 12 receives the input of the operator ID and executes an output process.

  When executing the output process, the output device 12 outputs the log 13 and transmits the output log 13 to the monitoring server 11. The log 13 is an example of an output processing history indicating that the output processing has been executed.

  The monitoring system 10 monitors the leakage of the confidential document 18 in the company by monitoring the output processing in the output device 12. The monitoring server 11 and the plurality of output devices 12 are communicably connected. The monitoring server 11 is an example of a confidential document monitoring device.

  The monitoring server 11 is communicably connected to a log DB (database) 14 and a confidential document registration DB 16. The log DB 14 stores the logs 13 received from the output devices 12 by the monitoring server 11. The log 13 has an image log 13A and a text log 13B.

  The output processing executed by the output device 12 includes a copy processing, a print processing, a facsimile processing and the like. Includes processing to generate. The image format data is, for example, bitmap format data or a raster image. The image log 13A is an example of a history of an image format including data in the image format generated in the output processing. The text log 13 </ b> B is a log in which the output device 12 expresses the execution contents of the output process in text, and is an example of a character-format history composed of character information.

  The confidential document registration DB 16 stores a document 17 to be monitored for confidentiality management as a confidential document 18. The confidential document registration DB 16 is an example of a storage unit. The monitoring server 11 collates the log 13 received from the output device 12 with the confidential document 18 registered in the confidential document registration DB 16. The confidential document 18 includes a collation image 18A and registered character information 18B. The collation image 18A is data in an image format such as the bitmap format and the raster image described above, and is data that can be collated with the image log 13A. As will be described later, the registered character information 18B includes information indicating attributes of the confidential document 18, such as the creation date and time of the confidential document 18, the creator, and the type of the document.

  As shown in FIG. 2, an example of an electrical configuration of the monitoring system 10 according to the present embodiment is shown. The monitoring server 11 is configured by a general-purpose computer such as a server computer and a personal computer, for example. As shown in FIG. 2, the monitoring server 11 includes a main control unit 110, a communication unit 112, an input device 114, a display 116, and an external I / F (Interface) 118.

  The main control unit 110 includes a CPU (Central Processing Unit) 120, a memory 122, a storage device 124, a bus line 126, and an I / O (input / output interface) 128. The CPU 120, the memory 122, and the storage device 124 are connected via a bus line 126. An I / O 128 is connected to the bus line 126.

 The CPU 120 controls the monitoring server 11 as a whole. The memory 122 is a volatile memory used as a work area or the like when executing various programs, and an example of the memory 122 is a random access memory (RAM). The storage device 124 stores, for example, a program for controlling basic operations of the monitoring server 11 and data such as various parameters. Examples of the storage device 124 include a hard disk drive (HDD), a solid state drive (SSD), an electrically erasable and programmable read-only memory (EEPROM), and a flash memory.

  The communication unit 112 is connected to the I / O 128 and the communication network 129. The communication unit 112 controls transmission and reception of information via the communication network 129. The communication network 129 includes a LAN (Local Area Network), the Internet, a WAN (Wide Area Network) using a public telephone line or a dedicated line, and the like.

  The external I / F (Inter Face) 118 is, for example, an interface such as an ATA (AT Attachment) standard connector and a USB (Universal Serial Bus) connector. In the external I / F 118, for example, a peripheral device such as an external storage device 24 in which the log DB 14 and the confidential document registration DB 16 are stored is connected to an ATA standard connector.

  The display 116 is connected to the I / O 128, and displays various information including an operation screen constituting a GUI (Graphical User Interface) under the control of the CPU 120.

  The input device 114 includes a mouse, a keyboard, and the like, and is an input device for inputting operation instructions. The input device 114 is connected to the I / O 128, and the CPU 120 receives various operation instructions through the input device 114.

  The storage device 124 stores an application program (AP) 130. The AP 130 includes a confidential document monitoring program that causes a computer to function as the monitoring server 11. The confidential document monitoring program included in the AP 130 is an example of an embodiment of the program according to the present invention.

  The document management server 21 is also configured by a general-purpose computer such as a server computer, for example. An example of the electrical configuration of the document management server 21 is also the same as that of the monitoring server 11, and a detailed description thereof will be omitted.

  In this example, a network storage device accessible via the communication network 129 may be used for the document management server 21 instead of a general-purpose computer. Examples of network storage devices include NAS (Network Attached Storage) and SAN (Storage Area Network).

  In the monitoring server 11 of this example, the log DB 14 and the confidential document registration DB 16 are stored in the external storage device 24 connected to the external I / F 118. However, as the external storage device 24, a network storage device such as a NAS and a SAN that can be accessed via the communication network 129 may be used. Further, instead of storing the log DB 14 and the confidential document registration DB 16 in a mere external storage device, the log DB 14 and the confidential document registration DB 16 may be stored in a server computer such as a database server like the document DB 22.

  The output device 12 includes an output unit 12A and an output control unit 12B. The output unit 12A performs a copy process, a print process, and a facsimile process. When outputting the document 17, the output unit 12 </ b> A performs a process of generating image format data based on the document 17. The output control unit 12 </ b> B receives an output processing execution instruction input by the operator from the operation panel and the terminal device 19. The output control unit 12B controls the output unit 12A to execute the output process of the specified document 17 based on the content of the execution instruction. The output control unit 12B transmits the log 13 to the monitoring server 11 when the output unit 12A executes the output processing.

  As shown in FIG. 3 as an example, in the monitoring server 11, when the CPU 120 executes a confidential document monitoring program, which is one of the APs 130, the obtaining unit 31, the document registration unit 32, the log registration unit 33, the determination unit 34, It functions as an action execution unit 36 and an image conversion unit 35.

  The acquisition unit 31 receives the log 13 from the output device 12 and transmits the log 13 to the log registration unit 33. The acquisition unit 31 is an example of an acquisition unit that acquires a history of an output process indicating that the output device 12 that outputs a document has executed the output process. The acquisition unit 31 transmits a log reception notification when receiving the log 13. Further, the acquisition unit 31 receives the registration request for the document 17 from the document management server 21 and transmits the document 17 and the registration request to the document registration unit 32.

  The document registration unit 32 receives the registration request for the document 17 and registers the document 17 to be registered as the confidential document 18 in the confidential document registration DB 16. The document registration unit 32 is an example of a registration unit that registers the document 17 as a confidential document 18 in the confidential document registration DB 16 which is an example of a storage unit, in order to make the document 17 a monitoring target for confidential management.

  The image conversion unit 35 converts the document data 17A of the document 17 to be registered as the confidential document 18 into a collation image 18A that is image format data. The image conversion unit 35 is an example of an image conversion unit that converts a confidential document into image format data. As described above, when the document 17 is registered as the confidential document 18, the document data 17A is converted into the collation image 18A and stored in the confidential document registration DB 16.

  The document registration unit 32 stores the registered character information 18B in the confidential document registration DB 16. The log registration unit 33 registers the log 13 received from the acquisition unit 31 in the log DB 14.

  The storage device 124 stores an employee information table 37, a monitoring target determination table 38, and an action determination table 39. The employee information table 37 and the monitoring target determination table 38 are referred to by the determination unit 34. The action determination table 39 is referred to by the action execution unit 36.

  The determination unit 34 detects that the output device 12 has performed the output process by the log reception notification. The determination unit 34 is an example of a determination unit that determines whether the output process performed by the output device 12 is a process related to the confidential document 18 and corresponds to a process of a monitoring target whose content is set in advance. is there. The determination unit 34 executes, for example, a first determination process and a second determination process. The first determination process is a process performed prior to the second determination process. The second determination process is a process performed when a determination result that the output process does not correspond to the process to be monitored is not obtained in the first determination process, and has a longer processing time than the first determination process.

  In this example, the processes to be monitored are classified in advance into a plurality of types, as described later. The determination unit 34 determines which of the plurality of types of monitoring target processing the output processing corresponds to when the output processing is determined to correspond to monitoring target processing in the second determination processing.

  The action execution unit 36 is an example of an execution unit that executes a preset action (action) when it is determined in the second determination process that the output process corresponds to the process to be monitored. Further, the action execution unit 36 refers to the action determination table 39, and changes the content of the action (action) according to the type of the monitoring target process to which the output process corresponds.

  As shown in FIG. 4, the first determination process executed by the determination unit 34 is, specifically, based on a text log 13B that is a character format history included in the log 13 that is a history of the output process. Is a process of determining whether or not the process corresponds to the process to be monitored. In the second determination process, specifically, the output process is monitored based on the image log 13A, which is the history of the image format included in the log 13, and the collation image 18A, which is the image format data of the confidential document 18. It includes a process of determining whether or not the process corresponds to the target process.

  In short, the first determination process is a determination process based on character information, and the second determination process is a determination process including image matching. The image matching includes, for example, a process of extracting a morphological feature amount for each image to be compared and comparing the extracted feature amounts. The processing time of such image matching is longer than the time required for searching and comparing character information. Therefore, in this example, the processing time of the second determination processing including image matching is longer than that of the first determination processing not including image matching.

  The determination unit 34 refers to the monitoring target determination table 38 and the employee information table 37 in the first determination processing and the second determination processing. The determination unit 34 refers to the monitoring target determination table 38 in the risk level determination process. The action execution unit 36 refers to the action determination table 39 in the action content determination process.

  As shown in FIG. 5, the monitoring target determination table 38 mainly defines the contents of the output processing corresponding to the processing to be monitored. The process to be monitored is a process that is assumed to have a high risk of confidentiality management within the company, such as the risk (risk) of the confidential document 18 leaking outside the company. For example, an act that a prospective retiree facsimiles a technical document outside the company is considered to be highly likely to be carried out by a prospective retiree to bring in a technical document to the company to which he / she is relocating. Is considered high.

  Further, there is also a fact that when the confidential document 18 is leaked, most of the confidential document 18 is taken out on a paper medium. In view of such facts, it is considered that an act of copying or printing a technical document by a prospective retiree and outputting it to a paper medium is an act with a high risk of confidentiality management. In addition, it is considered that an act of copying a document having a limited disclosure range by an employee outside the disclosure range also poses a high risk of confidentiality management. Of course, even if an act of copying technical documents is performed by an employee who is within the scope of disclosure of technical documents, such as a member of a project that develops the technology, the act of copying is usually performed. Does not apply.

  As described above, whether or not the output process corresponds to the process to be monitored is determined by the position of the operator of the output device 12, which is the subject instructing the output process, and the type of the document 17 (management document, financial document, other document, etc.). And the type of output processing (copy processing, print processing, facsimile processing, etc.). The monitoring target determination table 38 enumerates the actions assumed to have a high risk of confidentiality management as output processing to be executed by the output device 12, and defines the enumerated processing.

  In the monitoring target determination table 38, the contents of the output processing corresponding to the processing of the monitoring target are classified into a plurality of types according to the risk level indicating the degree of risk. In the example shown in FIG. 5, the risk levels are classified into four types from "A" to "D".

  The processing of the monitoring target whose risk level is classified as “A” includes the above-mentioned processing such as “a document confidential or confidential has been copied, printed, or faxed outside the company by a prospective retired employee”. The monitoring target process whose risk level is classified as “B” includes a process such as “a general confidential or confidential document has been copied, printed, or faxed outside the company”. The process of the monitoring target whose risk level is classified as “C” includes a process such as “an officer of Group B has faxed a confidential document outside the company”. The process of the monitoring target whose risk level is classified as “D” includes a process such as “a confidential document has been faxed outside by a member of the group A”.

  In addition, in the example illustrated in FIG. 5, the process in which the risk level is classified as “E” is out of the monitoring target process. In the output process with the risk level of “E”, the processes illustrated in FIG. 5 include “documents (including management documents and technical documents) copied or printed by officers” and “general documents copied and printed”. Or it was faxed outside the company. " In FIG. 5, the processing in which the risk level is classified as “E” is merely an example, and the processing other than the processing illustrated in FIG. 5 has the risk level other than the four types “A” to “D”. Output processing does not correspond to monitoring target processing.

  As described above, the monitoring target determination table 38 is an example of the classification information in which the processing of the monitoring target is classified into a plurality of types (a plurality of risk levels in this example) in advance. The determination unit 34 determines whether or not the output processing corresponds to the processing to be monitored, based on the monitoring target determination table 38. In addition, the determination unit 34 determines which risk level (type) among the plurality of risk levels corresponding to the plurality of types, based on the monitoring target determination table 38 which is an example of the classification information. judge.

  As shown in FIG. 6, the text log 13B of the log 13 includes, for example, an output date and time, an operator ID, a device ID that has executed the output process, a document ID, a process type, an output destination (eg, a facsimile destination), and OCR (Optical Character Recognition) text is included. The operator ID is, for example, employee identification information, such as an employee number, assigned to an employee within the company. The device ID is identification information given to each output device 12. The document ID is, for example, the file name of the document 17. The OCR text is text data that is obtained by performing an OCR process on the image log 13A, which is data in an image format, and recognizing it.

  As shown in FIG. 7, the registered character information 18B of the confidential document 18 includes, for example, creation date and time, document ID, creator (creator ID and creator name), document type, disclosure range, and keywords. Information indicating the attribute of the confidential document 18 is included. The disclosure range is specified by, for example, information such as management, persons involved in the A project, confidential, and confidential. The keyword is, for example, arbitrarily specified character information.

  The registered character information 18B includes character information input when the document 17 is registered as the confidential document 18 in addition to the supplementary information 17B included in the document 17 stored in the document DB 22. The registered character information 18B can be additionally registered even after the confidential document 18 is registered. As a storage format of the registered character information 18B, for example, it is stored as a file different from the data file of the collation image 18A of the confidential document 18. Of course, the registered character information 18B may be stored as supplementary information in the data file of the matching image 18A.

  As shown as an example in FIG. 8, the employee information table 37 has an employee ID, a name, a position, and other items, and information of these items is recorded for each employee. The employee ID is, for example, identification information given in the company, such as an employee number, like the operator ID. As other items, for example, a retirement schedule including the retirement date and time is recorded.

  As shown in FIG. 9, the action determination table 39 is a table that defines the content of an action (coping) for each risk level. The action execution unit 36 refers to the action determination table 39 and determines the content of the action according to the risk level determined by the determination unit 34. Then, the action execution unit 36 executes the determined action. The action execution unit 36 is an example of an execution unit that determines the content of an action (coping) according to the risk level (type) to which the output process corresponds.

  In the action determination table 39 of this example, when the risk level of the process to be monitored is “A”, an action such as “notify the entry / exit management system and invalidate the operator's ID card” is defined. Is done. The entry / exit management system is a system that controls the opening and closing of doors in each room where an employee is present. For example, a system that unlocks a door by holding a valid ID card over a card reader installed near the door. In the action in which the risk level is “A”, the ID card is invalidated to prevent the operator from going outside the room.

  According to the action whose risk level is “A”, when the output processing is printing and copying of the confidential document 18, the leakage of the confidential document 18 to the outside is prevented. When the output process is a fax to the outside of the company, the situation is immediately heard from the operator.

  When the risk level of the process to be monitored is “B” and “C”, in this example, “notify the administrator of the department to which the operator belongs and the system administrator who manages the in-house system by email”, “ An action such as "notify the system administrator by e-mail" is taken. When the risk level is “B” or “C”, the urgency is considered to be lower than when the risk level is “A”. A follow-up hearing of the person is conducted.

  If the risk level of the process to be monitored is “D”, for example, an action such as “notify another officer other than the operator” is taken. As a result, the situation is heard by another officer. It may be appropriate for executive actions to be handled between officers. Such actions are taken for such actions.

  When the risk level that does not correspond to the process to be monitored is “E”, the history of the output process is simply recorded in the event log of the monitoring server 11 without performing any special action.

  Hereinafter, the operation of the monitoring system 10 according to the above embodiment will be described with reference to the flowchart shown in FIG. 10 and the determination examples shown in FIGS. When the monitoring server 11 is started, a monitoring process is started. When the monitoring process is started, the monitoring server 11 waits for the output device 12 to receive the log 13 of the output process, as shown in step S1001. When an output process such as copying, printing, or facsimile is executed in the output device 12, a log 13 of the output process is transmitted from the output device 12 to the monitoring server 11. When the monitoring server 11 receives the log 13 through the acquisition unit 31 (Y in step S1001), the log registration unit 33 stores the log 13 in the log DB 14.

  In step S1002, the determination unit 34 starts the first determination process based on the log reception notification transmitted from the acquisition unit 31. The determination unit 34 performs a determination based on character information in the first determination process. Specifically, in the first determination process, the determination unit 34 uses character information such as the text log 13B included in the received log 13 and the registered character information 18B of the confidential document 18. Based on such character information, the determination unit 34 determines whether the output process corresponds to any of the monitoring targets whose risk level is “A” to “D” specified in the monitoring target determination table 38. Is determined.

  In the first determination process, when a determination result that the output process does not correspond to the process to be monitored is not obtained (N in step S1003), the determination unit 34 proceeds to step S1004 and performs the second determination process. That is, in the first determination process, when the possibility that the output process corresponds to the process to be monitored cannot be denied (when there is a possibility), the determination unit 34 performs the second determination process.

  On the other hand, in the first determination process, when a determination result that the output process does not correspond to the process to be monitored is obtained (Y in step S1003), the determination unit 34 does not proceed to step S1004 in which the second determination process is performed. Then, the process proceeds to step S1008. That is, in the first determination process, when the possibility that the output process corresponds to the process to be monitored can be denied (when there is no possibility), the determination unit 34 does not perform the second determination process.

  FIGS. 11 to 13 show examples of a determination example in which in the first determination processing, a determination result indicating that there is no possibility that the output processing corresponds to the processing to be monitored is obtained (Y in step S1003), and the second determination processing is not performed. It is an example. That is, in the determination examples of FIGS. 11 to 13, it is determined that there is no possibility that the output process corresponds to the process to be monitored only by the first determination process based on the character information, and the processing time is longer than the first determination process. It is an illustration of a determination example in which it is not necessary to perform a long second determination process.

  First, in the determination example shown in FIG. 11, the determination unit 34 acquires (1) the text log 13B, reads out the operator ID from the text log 13B, and (2) sets the position corresponding to the operator ID, A search is made from the employee information table 37. In the example shown in FIG. 11, the position corresponding to the operator ID is “executive of group A”. Next, the determination unit 34 uses the post “Executive of Group A” and the process type “print” read from the text log 13B as keywords, and (3) the output process corresponds to Searches for monitoring target processes that may be performed.

  In the monitoring target determination table 38 illustrated in FIG. 5, the output process in which the “executive of the group A” “prints” the document 17 is performed when the risk level is “A” regardless of the type of the document 17. It does not correspond to the monitoring target process of “D”. Therefore, at this point, the determination unit 34 determines, as the determination result of the first determination process, that the output process of the acquired text log 13B has no (4) possibility of being applicable to the process to be monitored.

  The second determination process is performed when a determination result that the output process does not correspond to the process to be monitored is not obtained in the first determination process (N in step S1003 in FIG. 10). In the case of FIG. 11, in the first determination process, a determination result that the output process does not correspond to the process to be monitored is obtained (Y in step S1003 of FIG. 10). 34 proceeds to step S1008.

  The determination example illustrated in FIG. 11 illustrates an example in which, in the first determination process, only the text log 13B included in the log 13 is used as the character information. However, the determination examples shown in FIGS. 12 and 13 are examples in which the registered character information 18B of the confidential document 18 is used as the character information in addition to the text log 13B.

  First, in the determination example shown in FIG. 12, the determination unit 34 acquires (1) the text log 13B, reads out the operator ID from the text log 13B, and (2) sets the position corresponding to the operator ID, A search is made from the employee information table 37. In the example shown in FIG. 12, the position corresponding to the operator ID is “general employee and retired employee”.

  Next, since the text log 13B includes the OCR text, the determination unit 34 attempts to (3) specify the type of the document 17 based on the OCR text, for example. FIG. 12 shows an example in which the type of the document 17 is specified as a technical document based on the OCR text. For example, in the following cases, the determination unit 34 specifies the document 17 as a technical document from the OCR text. It is assumed that when the determination unit 34 searches for a character string in the OCR text, a keyword related to a management document cannot be extracted and only a keyword related to a technical term can be extracted. In such a case, the determination unit 34 specifies the type of the document 17 as a technical document. Further, in this example, it is assumed that a word such as “confidential” or “confidential” is not extracted from the OCR text.

  Next, the determination unit 34 sets the output processing from the (4) monitoring target determination table 38 using the post “general employee and retired employee”, the processing type “print”, and the type of the document 17 “technical document” as keywords. Is searched for the presence or absence of a process of a monitoring target that may be applicable. In the monitoring target determination table 38 illustrated in FIG. 5, the output process of “the retired employee prints a technical document” corresponds to the monitoring target process whose risk level is “A”. Therefore, at the time of (4), the determination unit 34 determines that the output process is likely to correspond to the process to be monitored.

  Next, the determination unit 34 searches the (5) confidential document registration DB 16 for the presence or absence of a technical document based on the registered character information 18B of the confidential document 18. In the example shown in FIG. 12, no technical document is registered as the confidential document 18 in the confidential document registration DB 16. Even if the document 17 is specified as a technical document from the OCR text, the document 17 that is not registered as the confidential document 18 is excluded from the monitoring target. Therefore, at this time, the determination unit 34 determines, as the determination result of the first determination process, that the output process of the acquired text log 13B has no possibility of (6) the possibility of being applicable to the process to be monitored.

  In the determination example of FIG. 12, in the first determination process, a determination result that the output process does not correspond to the process to be monitored is obtained (Y in step S <b> 1003 of FIG. 10), and the determination is performed without performing the second determination process. The unit 34 proceeds to step S1008.

  In the determination example illustrated in FIG. 13, the determination unit 34 (1) acquires the text log 13B, reads the operator ID from the text log 13B, and (2) identifies the position corresponding to the operator ID in the employee information. Search from the table 37. In the example illustrated in FIG. 13, the position corresponding to the operator ID is “department manager”.

  Next, since the text log 13B includes the OCR text, the determination unit 34 tries (3) to specify the type of the document 17 based on the OCR text. FIG. 13 shows an example in which the type of the document 17 is specified as a technical document, as in FIG.

  Next, the determination unit 34 uses the post “department manager”, the processing type “FAX”, and the type “technical document” of the document 17 as keywords, and (4) the output processing corresponds from the monitoring target determination table 38. Search for possible monitoring targets. In this example, the determination unit 34 determines that the destination of the fax is outside the company based on the fax number. In the monitoring target determination table 38 illustrated in FIG. 5, the output process of “the employee outside the disclosure range faxes the technical document outside the company” corresponds to the monitoring target process with the risk level “A”. Therefore, at the time of (4), the determination unit 34 determines that the output process is likely to correspond to the process to be monitored.

  Next, based on the registered character information 18B of the confidential document 18, the determination unit 34 uses the post “department manager (including the name of the development unit)”, the document ID, and the “technical document” as keywords. The document registration DB 16 is searched for the presence or absence of the corresponding document 17.

  When the registered confidential document 18 is extracted based on the document ID, the determining unit 34 determines the disclosure range of the extracted confidential document 18 in the registered character information 18B and the post of the operator “Development Section Manager (Development Section Manager). Department name). By this comparison, the determination unit 34 obtains a determination result that the operator is included in the disclosure range in this example. Therefore, at this time, the determination unit 34 determines, as the determination result of the first determination process, that the output process of the acquired text log 13B has no possibility of (6) the possibility of being applicable to the process to be monitored.

  In the determination example of FIG. 13, since the determination result that the output process does not correspond to the process to be monitored is obtained in the first determination process (Y in step S <b> 1003 of FIG. 10), similar to the determination example of FIG. The determination unit 34 proceeds to step S1008 without performing the second determination process.

  In FIG. 10, in step S1008, the action execution unit 36 records the fact that the output process has been performed in the event log of the monitoring server 11. Then, in step S1009, when the termination condition is satisfied (Y in step S1009), the CPU 120 terminates the operation of the monitoring server 11, and when the termination condition is not satisfied (N in step S1009), the next output processing is performed. Log 13 (step S1001). Here, the termination condition is, for example, that an abnormality has occurred in the monitoring server 11 and an emergency stop is required, and that an operation instruction to stop the monitoring server 11 has been input.

  On the other hand, in the first determination process of step S1003, when a determination result that the output process does not correspond to the process to be monitored is not obtained (N in step S1003), the determination unit 34 proceeds to step S1004, and proceeds to step S1004. Execute the judgment process.

  In the second determination process shown in step S1004, the determination unit 34 performs image collation between the image log 13A and the collation image 18A, and determines whether the output process corresponds to the process to be monitored. When it is determined in the second determination process that the output process does not correspond to the process to be monitored (N in step S1005), the determination unit 34 proceeds to step S1008.

  On the other hand, when it is determined in the second determination process of step S1004 that the output process corresponds to the process to be monitored (Y in step S1005), the determination unit 34 proceeds to step S1006.

  In step S1006, first, the determination unit 34 determines the risk level of the process of the monitoring target determined to correspond in step S1004 based on the monitoring target determination table 38. Then, the determined risk level is transmitted to the action execution unit 36. The action executing unit 36 determines the content of the action corresponding to the risk level with reference to the action determination table 39 based on the received risk level.

  For example, in the second determination process of step S1004, when the risk level of the process of the monitoring target that is determined to correspond to the output process is “A”, the determination unit 34 executes the determined risk level “A” by executing the action. To the unit 36. The action execution unit 36 refers to the action determination table 39 based on the received risk level “A” and determines the content of the action corresponding to the risk level “A”.

  In step S1007, the action execution unit 36 executes the action having the determined content. In the action determination table 39 shown in FIG. 9, the content of the action corresponding to the risk level “A” is “notify the entry / exit management system and invalidate the operator's ID card”. The action execution unit 36 transmits an operator ID and a command requesting invalidation of the ID card of the operator ID to the entry / exit management system. The entry / exit management system invalidates the received ID card of the operator ID based on the invalidation request. Such an action (response) prevents the operator who instructed the process of the monitoring response from going outside the room. When the risk level is “A”, the action execution unit 36 also performs an action of notifying the system administrator and the administrator of the department to which the operator belongs in addition to the above actions.

  Similarly, when the risk level is “B” to “D” in step S1007, the action execution unit 36 sets the operator ID of the operator who instructed the output process corresponding to the process to be monitored in advance. Notify the notification destination by e-mail. The notification destination set in advance is a notification destination specified in the action determination table 39, such as a system administrator. As a result, appropriate measures are taken based on the judgment of a monitor such as a system administrator.

  In the monitoring server 11 of the present example, the average processing time required for monitoring a plurality of output processes is reduced as compared with the case where the determination process for monitoring is performed uniformly for a plurality of output processes.

  For example, when monitoring the output process of the confidential document 18, the second determination process including image matching as the determination process for monitoring has a longer processing time than the first determination process. The monitoring server 11 of the present example first executes a first determination process based on character information that has a shorter processing time than the second determination process, as a determination process for performing monitoring. Then, the monitoring server 11 executes the second determination process only when a determination result that the output process does not correspond to the process to be monitored is not obtained in the first determination process. In other words, the first determination processing having a relatively short processing time is executed before the second determination processing having a long processing time, and the target for executing the second determination processing is limited. Thereby, as compared with the case where the second determination process having a relatively long processing time is performed uniformly for the plurality of output processes, the average process required for monitoring the plurality of output processes is performed as the determination process for monitoring. Processing time is reduced.

  In addition, the monitoring server 11 monitors the process of outputting the confidential document 18 as image format data, such as copy, print, and facsimile, as the process to be monitored. The log 13 which is a history of the output process includes an image log 13A corresponding to an image format history composed of image data and a text log 13B corresponding to a character format history composed of character information. Contains. In this example, the first determination process is a determination process based on the text log 13B, and the second determination process is a determination process based on the image log 13A.

  When monitoring the output processing of the confidential document 18 as in the present example, performing the second determination processing including image matching is a reliable monitoring method, but the processing time is long. The monitoring server 11 of the present example narrows down the targets of the second determination processing having a long processing time by performing the first determination processing based on the character information. For this reason, the monitoring server 11 of the present example reduces the average processing time required for monitoring a plurality of output processes, while suppressing the monitoring omission of the output process of the confidential document 18.

  In the above example, the text log 13B, which is a history in the character format, includes the operator ID who instructed the execution of the output process. The determination unit 34 determines whether or not the output process corresponds to the process to be monitored based on the operator ID in the first determination process. The operator ID is simple information having a relatively small number of characters, but is effective information for specifying the subject who instructed execution of the output process. By using such an operator ID for the first determination process, the purpose of the first determination process of narrowing down the targets of the second determination process is effectively achieved by a simple method.

  In the above example, the second determination process may be any process including image matching, and may perform a determination based on character information in addition to image matching. As an example of performing the determination based on the character information in addition to the image matching in the second determination process, for example, the following case can be considered.

  For example, in the second determination process, there is a case where the registered character information 18B is checked after performing image matching between the image log 13A and the matching image 18A. In this case, for example, a case is considered in which a result of image collation obtains a determination result that the output-processed document 17 corresponds to the confidential document 18. Even in such a case, as a result of examining the registered character information 18B, if the operator is included in the disclosure range of the confidential document 18, the judgment result finally indicates that the process does not correspond to the monitoring target process. In some cases.

  In the example illustrated in FIG. 13, in the first determination process, an example is described in which the operator determines that the confidential document 18 is within the disclosure range based on the registered character information 18 </ b> B. Instead of the processing, the registered character information 18B may be used in the second determination processing.

  Further, in the above example, the image conversion section 35 is provided which converts the confidential document 18 into a collation image 18A which is image format data based on the document data 17A included in the document 17. Therefore, an image conversion device external to the monitoring server 11 is not required.

  Further, in the above example, in the second determination process, as shown in the monitoring target determination table 38 of FIG. 5, the determination unit 34 converts the processing of the monitoring target into classification information such as a risk level, which has been classified into a plurality of types in advance. Based on this, it is determined which of the plurality of types the output process corresponds to. Then, the action execution unit 36, which is an example of the execution unit, changes the content of the action (response) according to the type (risk level) to which the output process corresponds. Therefore, in monitoring the output processing, appropriate measures are taken according to the type (risk level) of the output processing.

  In the above example, the registered character information 18B is used in addition to the text log 13B as the character information mainly used in the first determination processing. The registered character information 18B includes, for example, information that is arbitrarily input when the confidential document 18 is registered, in addition to the accompanying information 17B included in the document 17 in the document DB 22. At the time when the document 17 is stored in the document DB 22, the supplementary information 17 </ b> B includes various information related to the attributes of the document 17. Further, the registered character information 18B can be arbitrarily added when the confidential document 18 is registered. By using such registered character information 18B for monitoring, the content of the first determination process based on the character information becomes more effective than when only the text log 13B is used as the character information. In addition, by using the additional registration function of the registered character information 18B, the content of the first determination processing is flexibly changed.

  Further, in the above example, an example will be described in which the entire document 17 to be registered as the confidential document 18 is to be monitored. For example, a part of the document 17 is registered as the confidential document 18 and the registered portion is to be monitored. Is also good. In this case, for example, the part to be monitored may be specified by the registered character information 18B. As a method of specifying a part to be monitored in the registered character information 18B, for example, a part to be monitored in the document 17 is specified by a page number. In the registered character information 18B, a part to be monitored may be specified, or a part other than the part to be monitored may be specified.

  As described above, the monitoring server 11 as an example of the confidential document monitoring device and the monitoring system 10 as an example of the confidential document monitoring system have been described as the embodiments. The confidential document monitoring program has been described as an example of the AP 130. As an embodiment, a computer-readable storage medium storing a confidential document monitoring program may be used. Examples of the storage medium include an optical disk such as a CD (Compact Disc) -ROM (Read-Only Memory) and a DVD (Digital Versatile Disc) -ROM, or a semiconductor memory such as a USB memory and a memory card. Further, the program may be obtained from an external device via a communication line.

  The configurations of the confidential document monitoring device, the confidential document monitoring system, and the confidential document monitoring program described in the above-described embodiment are merely examples, and may be changed according to circumstances without departing from the gist of the invention.

  The processing flow described in the above embodiment is also an example, and unnecessary steps may be deleted, new steps may be added, or the processing order may be changed without departing from the gist of the processing.

  Further, in the above-described embodiment, a case will be described in which various processing units (acquisition unit, registration unit, determination unit, execution unit, and the like) according to the embodiment are realized by cooperation of a CPU and software by executing a program. However, it is not limited to this. All or some of the various processing units according to the embodiment may be realized by, for example, a programmable logic device such as an FPGA (Field-programmable Gate Array) and hardware such as an ASIC (Application Specific Integrated Circuit).

Reference Signs List 10 monitoring system 11 monitoring server 12 output device 12A output unit 12B output control unit 13 log 13A image log 13B text log 14 log DB
16 Confidential document registration DB
17 Document 17A Document Data 17B Additional Information 18 Confidential Document 18A Image for Collation 18B Registered Character Information 19 Terminal 21 Document Management Server 22 Document DB
24 external storage device 31 acquisition unit 32 document registration unit 33 log registration unit 34 determination unit 35 image conversion unit 36 action execution unit 37 employee information table 38 monitoring target determination table 39 action determination table 110 main control unit 112 communication unit 114 input device 116 Display 118 External I / F
122 memory 124 storage device 126 bus line 129 communication network

Claims (8)

A registration unit for registering the document as a confidential document in the storage unit in order to make the document a monitoring target for security management;
An acquisition unit that acquires a history of the output process indicating that the output device that outputs the document has executed the output process,
A determination unit configured to determine whether the output process is a process related to the confidential document and corresponds to a process of a monitoring target whose content is set in advance; a first determination process; In the determination process, a second determination process is performed when a determination result that the output process does not correspond to the process to be monitored is not obtained, and the second determination process is longer than the first determination process. A determining unit for performing the processing;
An execution unit that executes a preset measure when it is determined in the second determination processing that the output processing corresponds to the monitoring target processing;
Confidential document monitoring device. The output process includes a process of generating image-format data in which the display content of the document is expressed as an array of a plurality of pixels,
The output processing history includes an image format history configured with the image format data, and a character format history configured with character information,
The first determination process is a process of determining whether the output process corresponds to the process of the monitoring target based on the history of the character format included in the history of the output process,
The second determination process is based on the image format history included in the output process history and the image format data of the confidential document, and determines whether the output process corresponds to the monitoring target process. The confidential document monitoring device according to claim 1, further comprising a process of determining whether or not the confidential document is monitored. The character-format history includes an operator ID instructing execution of the output process,
3. The confidential document monitoring device according to claim 2, wherein the determination unit determines whether the output process corresponds to the process to be monitored based on the operator ID in the first determination process. 4.   The confidential document monitoring device according to claim 2, further comprising an image conversion unit configured to convert the confidential document into the image format data. In the second determination process, the determination unit determines which of the plurality of types the output process corresponds to, based on classification information in which the processes to be monitored are classified into a plurality of types in advance. And
The confidential document monitoring device according to any one of claims 1 to 4, wherein the execution unit changes the content of the measure according to the type to which the output process corresponds.   6. The confidential document monitoring device according to claim 5, wherein the countermeasure includes a process of notifying a preset notification destination that the process of the monitoring target has been executed. A registration unit for registering the document as a confidential document in the storage unit in order to make the document a monitoring target for security management;
An acquisition unit that acquires a history of the output process indicating that the output device that outputs the document has executed the output process,
A determination unit configured to determine whether the output process is a process related to the confidential document and corresponds to a process of a monitoring target whose content is set in advance; a first determination process; In the determination process, the second determination process is performed when a determination result that the output process does not correspond to the process to be monitored is not obtained, and the second determination process is longer than the first determination process. A determining unit for performing the processing;
An execution unit configured to execute a preset measure when it is determined in the second determination processing that the output processing corresponds to the monitoring target processing;
A confidential document monitoring program for causing a computer to function as a confidential document monitoring device including   A confidential document monitoring system, comprising: at least one output device including an output unit that executes an output process for outputting a document; and the confidential document monitoring device according to claim 1.